Overnight Cybersecurity

Overnight Cybersecurity: Dems raise privacy concerns over Facebook Messenger for kids | FBI chief defends hacking notification procedures amid scrutiny | Design flaw exposed Ashley Madison members’ private photos

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

 

THE BIG STORY:

–STUNG WRAY: During a congressional hearing, FBI Director Christopher Wray on Thursday faced questions about the bureau’s failure to notify thousands of additional targets of the phishing campaign that ensnared former Clinton campaign chief John Podesta. The AP contacted 80 of those targeted by the believed-to-be Moscow-aligned hackers, with only two reporting they had been contacted. “Can you explain why these individuals had to learn from The Associated Press that they were targets of an aggressive Russian hacking effort?” Rep. Zoe Lofgren (D-Calif.) asked at the House Judiciary Committee hearing. Wray did not specifically address the media report but went on to describe the “very well-established” criteria and procedures the FBI uses when assessing whether to notify breach victims. Wray explained that, before making a decision, FBI agents assess whether they can properly identify the victim; whether the information they have can help the victim protect themselves or mitigate any damage; and whether such a notification would “potentially compromise or jeopardize an existing investigation or reveal sources and methods.”

–…WHY WRAY’S RESPONSE DOESN’T RESOLVE THE ISSUE: The AP was able to contact victims of the campaign because a private contractor uncovered a list of 19,000 phishing targets, including Podesta, while it traced an attack on one of its clients. Because Secureworks, the contractor, publicly announced it had discovered the list over a year ago, there would not be any risk of outing sources or methods. And if the AP was able to contact 80 targets, it stands to reason the FBI would have been able to as well.


 

A CAPITOL HILL UPDATE:

DEMS SKEPTICAL OF FACEBOOK MESSENGER FOR KIDS: Two Senate Democrats are questioning the privacy and security of Facebook’s new messaging app, which is designed for kids under 13.

Sens. Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.), who are both members of the Senate Commerce Committee, expressed their concerns in a letter to Facebook CEO Mark Zuckerberg on Thursday.

“We remain concerned about where sensitive information collected through this app could end up and for what purpose it could be used,” they wrote. “Facebook needs to provide assurances that this ‘walled garden’ service they describe is fully protective of children.”

The senators want proof that Facebook is complying with the Children’s Online Privacy Protection Act, a Federal Trade Commission regulation that imposes rules on collecting data from children on the internet.

The social media giant noted in its rollout that Messenger Kids will only collect minimal amounts of data from users to improve the app and will not sell that data to third parties. The company also said it will not automatically migrate Messenger Kids accounts into Facebook pages when the app’s users turn 13.

Markey and Blumenthal asked if Facebook would “commit that it will never change that policy and keep all its applications and services for children 12 and under” free of advertisements.

The two pressed Facebook on possible ways it could still collect or distribute data, despite the company’s assurances.


 

A LIGHTER CLICK: 

HAMBURGERS ARE A GATEWAY DRUG: There’s an Archie vampire comic. Jughead isn’t the vampire. Overnight Cyber doesn’t get it.

 

A REPORT IN FOCUS:

ASHLEY MADISON DEFAULT SETTINGS PROBLEM EXPOSED USERS’ EXTREMELY PRIVATE PHOTOS. Adultery-focused dating site Ashley Madison had a flaw in its site design allowing any member to retrieve anyone else’s often explicit photos.

The affair matchmaker stumbled into the public consciousness in 2015 after a massive data breach exposed account information for its client base.

The recently discovered security snafu, detailed by Matt Svensson and researchers at MacKeeper in a new report, was a problem in the site’s default settings. Unless a user tinkered with account settings to change it, users could access the photos of anyone they were willing to share their own photos with.

That meant users who believed they could control access to photos were not as secure as they thought.

According to the MacKeeper report, the privacy issues have been fixed.

 

WHAT’S IN THE SPOTLIGHT:

TRUMP JR.’S RUSSIA MEETING. A British publicist who arranged a June 2016 meeting between Trump campaign officials and Russians sent multiple follow-up emails later that summer to President Trump’s social media director and a Russian who was at the meeting, CNN reported Thursday.

Congressional investigators discovered the emails from publicist Rob Goldstone during a Wednesday hearing behind closed doors with Donald Trump Jr. None of the emails were sent directly to the president’s eldest son, CNN reported.

The emails raise new questions for congressional investigators looking into the details of what was discussed at the Trump Tower meeting.

Goldstone helped set up the meeting between Trump Jr. and Russian lawyer Natalia Veselnitskaya, who had promised damaging material on Democratic presidential nominee Hillary Clinton.

Goldstone, White House senior adviser Jared Kushner and then-campaign chairman Paul Manafort were also present for the meeting, which took place at Trump Tower in New York.

After the meeting, Goldstone pitched White House director of social media Dan Scavino on creating an account for then-candidate Trump on the Russian social networking site VK, CNN reported.

CNN did not find any indication such a page was ever created. Scavino did not attend the meeting with the Russian lawyer.

In another email, Goldstone shared a story on Russia’s hacking of Democratic National Committee emails with his client, Emin Agalarov, and Ike Kaveladze, who attended the meeting as well.


 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

FBI director denies their reputation is “in tatters.” (The Hill)

ICYMI last night: Uber paid off a 20-year-old Floridian to keep quiet on breach. (The Hill)

OP-ED: “The Social Security Number isn’t dead, but its days are numbered.” (The Hill)

Rep. Will Hurd (R-Texas) worries quantum computing will upend security. (Wired)

Deutsche Bank asks for more cryptocurrency regulation. (Reuters)

…Meanwhile, another cryptocurrency exchange was plundered. (Sophos)

…Also: Are digital cats the future of cryptocurrency networks? (Motherboard)

FireEye thinks Iranian government-led hackers are exploiting a hole in Microsoft Office. (FireEye)

Texan lawmakers opted for a crash course in cybersecurity. (Texas Public Radio) 
